FEDERAL BUREAU OF INVESTIGATION 
FOI/PA 

DELETED PAGE INFORMATION SHEET 
FOI/PA# 1389544-0 


Total 

Deleted Page(s) 

= 68 

Page 

3 ~ 

b3; 

b6; 

b7C; 

b7E; 

Page 

4 ~ 

b3; 

b6; 

b7C; 

b7E; 

Page 

5 ~ 

b3; 

b6; 

b7C; 

b7E; 

Page 

7 ~ 

b3; 

b6; 

b7C; 

b7E; 

Page 

8 ~ 

b3; 

b6 ; 

b7C; 

b7E; 

Page 

g ~ 

b3; 

b6; 

b7C; 

b7E; 

Page 

10 

~ b3 

; b6; 

b7C; 

b7E; 

Page 

11 

~ b3 

; b6; 

b7C; 

b7E; 

Page 

12 

~ b3 

; b6; 

b7C; 

b7E; 

Page 

13 

~ b3 

; b6; 

b7C ; 

b7E; 

Page 

14 

~ b3 

; b6; 

b7C; 

b7E; 

Page 

15 

~ b3 

; b6; 

b7C; 

b7E; 

Page 

16 

~ b3 

; b6; 

b7C; 

b7E; 

Page 

17 

~ b3 

; b6; 

b7C; 

b7E; 

Page 

18 

~ b3 

; b6; 

b7C; 

b7E; 

Page 

19 

~ b3 

; b6; 

b7C; 

b7E; 


Page 46 ~ Duplicate; 


Page 

52 ~ 

b7E; 



Page 

53 ~ 

b7E; 



Page 

54 ~ 

b7E; 



Page 

55 ~ 

b7E; 



Page 

56 ~ 

b7E; 



Page 

57 ~ 

b7E; 



Page 

58 ~ 

b7E; 



Page 

59 ~ 

b7E; 



Page 

108 

~ b6; 

b7C; 

b7E; 

Page 

109 

~ b6; 

b7C; 

b7E; 

Page 

110 

~ b6; 

b7C; 

b7E; 

Page 

111 

~ b6; 

b7C; 

b7E; 

Page 

112 

~ b6; 

b7C; 

b7E; 

Page 

113 

~ b6; 

b7C; 

b7E; 

Page 

114 

~ b6; 

b7C; 

b7E ; 

Page 

115 

~ b6; 

b7C; 

b7E; 

Page 

116 

~ b6; 

b7C; 

b7E; 

Page 

117 

~ b6; 

b7C; 

b7E; 

Page 

118 

~ b6; 

b7C; 

b7E; 

Page 

119 

~ b6; 

b7C; 

b7E ; 

Page 

120 

~ b6; 

b7C; 

b7E; 

Page 

121 

~ b6; 

b7C; 

b7E ; 

Page 

122 

~ b6; 

b7C; 

b7E; 

Page 

123 

~ b 6; 

b7C; 

b7E ; 

Page 

124 

~ b6; 

b7C; 

b7E; 

Page 

125 

~ b6; 

b7C; 

b7E ; 

Page 

126 

~ b6; 

b7C; 

b7E ; 

Page 

127 

~ b 6; 

b7C; 

b7E; 

Page 

128 

~ b 6; 

b7C; 

b7E; 

Page 

129 

~ b6; 

b7C; 

b7E; 

Page 

130 

~ b 6; 

b7C; 

b7E; 






Page 

131 

~ 

b6; b7C; b7E; 

Page 

132 

~ 

b7E; 

Page 

133 

~ 

b7E; 

Page 

134 

~ 

b7E; 

Page 

135 

~ 

b7E; 

Page 

136 

~ 

b7E; 

Page 

137 

~ 

b7E; 

Page 

138 

~ 

b7E; 

Page 

139 

~ 

b7E; 

Page 

141 

~ 

b7E; 

Page 

142 

~ 

b7E; 

Page 

143 

~ 

b7E; 

Page 

144 

~ 

b7E; 

Page 

148 

~ 

b7E; 

Page 

156 

~ 

b7E; 

Page 

157 

~ 

b7E; 

Page 

158 

~ 

b6; b7C; b7E; 

Page 

161 

~ 

b7E; 

Page 

167 

~ 

b6; b7C; b7E; 

Page 

180 

~ 

b7E; 


xxxxxxxxxxxxxxxxxxxxxxxx 

X Deleted Page(s) X 
X No Duplication Fee X 
X For this Page X 
XXXXXXXXXXXXXXXXXXXXXXXX 





FD-1057 (Rev. 5-8-10) 


UNCLASSIFIED 

BUREAU OF INVESTIGATION 


Electronic Communication 


Title: (U) To request case be opened Date: 03/06/2017 


CC: 


From: ATLANTA 

AT-CY1 

Contact : SA 


Approved By : S SA 


b3 

b6 
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b7E 


Drafted By : SA 


Case ID #: 


(U) UNSUB(S); 

KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


Synopsis: (U) To request case be opened and assigned to the writer. 


set to expire 


Details: 

On March 1, 2017, a professor at Kennesaw State University ("KSU") 
was contacted by an Atlanta-based security firm about an alleged b7E 

vulnerability in the KSU website elections.kennesaw.edu that contains 
voter registration information for counties across the state of 
Georgia. The Atlanta-based security firm was contacted by a security 
researcher that found the vulnerability and was able to exploit the 
vulnerability. This allowed the security researcher to obtain the voter 
registration information. The professor immediately notified KSU's 
Chief Information Security Officer ("CISO") about the potential 
vulnerability. 


KSU notified the FBI about the incident. On March 3, 2017, the FBI 
met with members of the KSU to discuss the incident. 

Based on the above information, the writer requests a 


UNCLASSIFIED 









UNCLASSIFIED 
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UNCLASSIFIED 


2 




FD-94I (2-26-01) 


CONSENT TO SEARCH COMPUTER(S) 


I.__ C > &<*-y ___. have been asked by Special Agents of the 

Federal Bureau of Investigation (FBI) to permit a complete search by the FBI or its designees of any and all computers, 
any electronic and/or optical data storage and/or retrieval system or medium, and any related computer peripherals, 
described below: 

_ <2 _ A . i & , Tet -c . « _^ & rr 2i f- Q JL. _ 

CPU Make, Moder & Serial Number (il'Wvailable) ' ^ 


Storage or Retrieval Media. Computer Peripherals 


and located at (OOP _ f \,J Icca* e*>w OA 


_. which I own, possess. 


control, and/or have access to. for any evidence of a crime or other violation of the law. The required passwords, logins. 

and/or specific directions for computer entry are as follows:__ 

I have been advised of my right to refuse to consent to this search, and I give permission for this search, freely 
and voluntarily, and not as the result of threats or promises of any kind. 

I authorize those Agents to take any evidence discovered during this search, together with the medium in/on which 
it is stored, and any associated data, hardware, software and computer peripherals. 


3-3 A? 



Location 


sr?/ n 


Z of [5 
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FEDERAL BUREAU OF INVESTIGATION 


b3 

. b7E 

' 0$S 5 S<C!S&*. : 


Date of entry 03/10/2017 


date 


residence located at 


of birth ( DOB ) 


was inte rviewed at his 
After being 


advised o f the i dentity of the interviewing Agents and the nature of the 
interview,) [provided the following information: 


is a 


at a company named BASTILLE located at 


1000 Marietta Street, Suite 224, Atlanta, Georgia. The company specializes 


in research on enterp pise 
working for BASTILLE, 


treats through software-defined radio. Prior to 
worked for the Oak Ridge National Lab (ORNL) 


located in Oak Ridge, Tennessee. |~ [ stated he left ORNL to explore 
working at a start-up company. 


In the summer of 2016, 


stated he wanted to research election voter 


machines and whether they were susce ptible to various wireless 


vulnerabilities among other attacks. 


initially reached out to the 


Fulton County Government Center in order to obtain an election voter 
machine. However, personnel at the Fulton County Government Center 
instructed ! I to contact Kennesaw State University (KSU) since KSU 
oversees Georgia's election operations and voting machines. 


Prior to contacting KSU, 


conducted research on KSU's Center for 

stated he 


Election Systems (CES) we bsite (elections.kennesaw.edu). 
used a technique known as[ 


b6 

b7C 

b7E 


website, 


1 in u snm u ns. cm nrnmn s namsr m s ces 


In addition, 


identified that the CES website was running a 


Lastly,| 


|research showed KSU's CES was utilizing the 


□ 


Investigation on 03/03/2017 at Atlanta, Georgia, United States (In Person) 

Date drafted 03/07/2017 


File# 


by 


SAl 


b3 

b6 

b7C 

b7E 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 
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Continuation of FD-302 of 


(U) Interview of 


03/03/2017 Page 2 of 3 


|_| contacted Merle King who is the Executive Director at KSU's CES 

about his findings and his interest in conducting vulnerability research on 
the election voting machines. King stated KSU would "look int o" his 

findings. However, King was not very receptive of the idea of_ 

researching the election voting machines. In fact. King to ldl that the 

people downtown woul d not appreciate him poking around and "just 

needed to drop it." | [ stated during this time he consulted with the 

Electroni c Fron tier Foundation (EFF) to make sure that he was not violating 
any laws- T [ advised he maintained all of his communications with King 
and KSU should the FBI need them. 




was unsuccessful in finding alternative contacts at KSU to discuss 


this matter so he just dropped it. stated he thought about contacting 

the FBI but did not want to get things spun up prior to the elections. 

| [ rec alled, on or ab out Wedne sday, March 1, 2017, he was having 

drinks with_ who|_de scribe d as being i n the security 


research community 
the 2016 elections 


g th is time, J~ | 


told 


the CE S website and King’s response. |_ t 

who i s a pr ofessor at KSU who could help 
vulnerable. stated he would check and let 


is i nitia 
told 



started discussing 
findings rel ated t o 
that he knows T I 
ebsite was still 
know. 


On the same day,| 


stated he ran 


___| This data 

included Georgia's voter registration records._ reviewed some of the 

data which included training material on how to setup an election voting 
machine. 

stated he ran 


did not know the specific IP a 
at the time he executed the script. However, 
Internet Service Provider Gigamonster. 


that was assigned to him 
stated he uses the 


At the time of the interview 
downloaded from the CES website 


anyone 

whicn 


Spe cial Agent |_ 

agreed to do. 


, | | still had a copy of the data 

but ha d not disseminated the data to 
_| instructed| |to delete the data 


At the conclusion of the interview,] |expressed concern about the 

state of the CES website and asked the agents if anything was going to be 


done about it being wide-open. 


Istated. if he had malicious intent. 







stated he could be contacted via his cell phone number 
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UNCLAS SIFI ED //^UO 
FEDERAL BUREAU OF INVESTIGATION 


Date of entry 03/10/2017 


On March 3, 2017, representatives from the Atlanta Division of the 
Federal Bureau of Investigation (FBI) as well as the United States 
Attorney's Office, Northern District of Georgia (USAO-NDGA), met with 
executives of Kennesaw State University (KSU). The individuals in 
attendance included: 


Federal Bureau of Investigation 


Supervisory Special Agent 
Special Agent 


Special Agent 
Computer Scientist 


United States Attorney's Office 


Assistant United States Attorney 


Kennesaw State University 

Lectra Lawhorne, Chief Information Officer/VPIT 
Stephen C. Gay, Chief Information Security Officer 
Jeff Milsteen, Chief Legal Affairs Officer 
Andrew Newton, Associate General Counsel 


b6 

b7C 

b7E 


outlining t he event up 
a professor 


KSU Executives provided the FBI with a document 
to March 1, 2017. In summary, GAY was contacted by 
in the Information Assurance and Security Program regarding a third party 
report he had received from an "Atlanta based security firm" which alleged 
users were able to explo it KSU's Center for Election Systems (CES) web site 
(elections.kennesaw.edu) 


counties across 

the State of Georgia. Following this notification, GAY 

initiated KSU'sf 





GAY's team did not obtain a volatile memory dump or a forensic image of 
the server hosting the CES website. The server was powered off and placed 
in a secure room. GAY stated his team is maintaining a Chain of Custody for 
the server. 


GAY advised the files that were accessible contained voter data to 


UNCLASSIFIED//F 


F^O 


Investigation on 03/03/2017 


at Kennesaw, Georgia, United States (In Person) 

File# 



Date drafted 03/07/2017 

by 


SA 




This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 
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UNCLAS SIFI ED / / F^O 


(U) FBI/USAO-NDGA Meeting with KSU 

Executives q., 03/03/2017 Pa „ e 2 of 2 

:— Name, — Address, — Laat — four digita —ef— SSN, ' DOB,— Driver’a Litet»e- 

Number, and Party Affiliation. He also stated some of the records may 

contain full SSNs as the State of Georgia previously used SSNs as an 

individual's Georgia Driver's License Number. 


Continuation.of FL1-302, of 
incluae 


GAY dfpitpH Ts'FTT Mas_ aJaJ £ to nrpqprvp___U_ files _from the_ser^mr to _j nr] nrjp 


both the 


GAY stated in August 2016, a security researcher from BASTILLE in 
Atlanta, Georgia had contacted KSU regarding a vulnerability associated 
with CES website and KSU had addressed it. 


b7E 


GAY identified MERLE KING as the Executive Director of the Center for 
Election Systems. KING would be able to answer any questions about who 
should have legitimate access to the CES website. 

A digital copy of the summary provided by GAY has been placed in the 1A 
section of the captioned case file. 


UNCLAS SIFI ED / / F^TO 




Center for Elections System Incident - 03/01/2017 


Incident background: 


Stephen G ay (KSU CISO) was contacted by Professor]_| (KSU| 

Professor) regarding a 3 rd -party report he had received from an "Atlanta based security firm". 


This initiai call was at 9:29pm on Wednesday March 1 st and alleged that through the use ofl 


for 


counties across the State of Georgia. Stephen immediately activated the UITS incident response team to 
validate the vulnerability, which was confirmed by the senior engineer. Stephen noti fied Lectra 
Lawhorne (KSU CIO), at 11:00pm regarding the notice and vulnerability. At 11:20pm, I 


b6 

b7C 

b7E 


Potential Impact: 

High. The discovered vulnerability is challenging to recreate, requiringf 


Current progress: 

Members of the UITS Information Security Office 
members of the Center for Election Systems (Merle King] 


met with 


end Michael Barnes) on 03/02/17 


to discuss the incident, extract the logs for analysis, and begin aligning resources toward the hardening 
of the elections.kennesaw.edu servers. The Center Director, Mr. King, informed all parties that he would 
need to keep the Georgia Secretary of State "in the loop" since he (The Secretary of State) was the data 
custodian for the Center of Elections data. Mr. King further advised that he had been in contact with him 
regarding the incident and that the Secretary of State was "ok" with our investigation although he 
requested to receive regular updates. 


Stephen Gay briefed the CIO regarding the incident and notified the USG HelpDesk regarding this 
incident, per KSU I ncident Response Procedures (USG Ticket number USG-INC0014152). A t 11:00am on 

3/2/17, UITS begar j | _ 

elect ions, kennesaw.edi j _ 

| | extend back to February 16 th , 2017 due to system configuration and initial examination identified a 
single database file which contained 6.7 million records of what appears to the voter data. At 3:24pm, 
log review determined that: 


b6 

b7C 

b7E 


• 40 IP Addresses accessed 1 or more database files ~ 
® 17 IP Addresses accessed 1 or more zip archives 


Last Updated: 03/03/17 






At 4:30pm 3/2/17, a conference call was held with KSU Representatives, The Georgia Secretary of 
State's Office, The Center for Election Systems, KSU Legal Affairs, and others. The call was to bring all 
parties up to speed and discuss next steps. Under the direct ion of the KSU CIO, at 7:00pm 03/03/17, 
UITS staff member^ 
for elections systeni 


met with Merle King and seized the center 
|(KSU Tag 103019). A chain of evidence form was completed for the 
transaction and the server locked in UITS ISO Secure Storage (Pilcher 109A) which is behind auditable 
locks. 


The initial incident reporter 
8:00pm 3/3/17 


provided the following activity from the security researcher at 


® Wednesday 02/22/17 - 6:00PM - 12:00AM EST - traffic originated from an Atlanta IP address and 
an IP address from Switzerland 

® Friday 02/24/17 - 12:00PM - 8:00PM EST - traffic originated from an Atlanta IP address 
® Tuesday 02/28/17 - 5:00PM - 12:00AM EST - traffic originated from an Atlanta IP address 
® Wednesday 03/01/17 - 7:00PM - 10:00PM EST - traffic originated from an Atlanta IP address 

UITS ISO Staff are currently working to use this additional data to correlate events to actors. 
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Last Updated: 03/03/17 
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CES Server: 



Investigation on 03/03/2017 at Kennesaw, Georgia, United States (In Person) 



This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 
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UNCLASSIFIED//fbuo 




(U) FBI Meeting with KSU Information 
Continuation of FD-302 of Technology (IT) Personnel 


.On 


03/03/2017 


. Page 


2 of 2 



b7E 


On or about August 2016, 


company 


named BASTILLE, shared vulnerabilities that he discovered in the CES Ser ver 
with MERLE KING, Executive Director at KSU's CES. It was believed 


b6 

b7C 


reached out to KING because he had been interviewed by media outlets, such 
as the Washington Post, and stated the election voter machines were 

unhackable. After_ initial contact, KING asked KSU IT personnel to 

block email from bastille.net. 


KSU maintains officially sanctioned twitter accounts for communication 
with the public. One of these accounts, @KSUVote, was used to share 
communications regarding the Center for Election Systems. 


At the conclusion of the interview, 
email in which 


_provided a hardcopy of an 

| [contacted KING on August 28, 2016. 


Lastly, KSU IT personnel escorted the FBI to the location where the CES 
server was being securely stored. GAY signed a FD-941 "Consent to Search" 
form and relinquished custody of the CES server to the FBI. GAY was 
provided a copy FD-597 "Receipt for Property" form. 


Copies of the FD-941 "Consent to S earch" f orm. 
Property" form, and a digital copy of 


FD-597 "Receipt for 
(email along with the flash 


drive referenced above will been placed in the 1A section of the captioned 
case file. 


UNCLASSIFIED// 









3/3/2017 


Zimbra 


Zimbra 

RE: [IMPORTANT] concerning the security of elections.kennesaw.edu 


Wed, Aug 31, 2016 02:46 PM 


Subject : RE: flMPORTANTI concerning the security of ele cbons.kennesaw.edu 

To I _ 

O I 'Mirhapl Barnesl 



When ts the e;irwe can schetfote more. 





Security Office 

Ifni yd's ctv inter nation Technology Services (UITSJ 
Xenncssw State University 
Technology Sersncas Blt%. Rr* 03i 
107$ CantPf! W 

Kfcpra^ffitf tift Whifl 

*4_I 

fax: KTS-SiS-'mt) _ 

i . i- 

From:l 


weanesaav. august sjl. zuio 





[Michael Barne: 


_ 



Subject: Re: | IMPORTANT! concerning the security of elections.kennesaw.edu 


anything in|_|we should be concerned abou 

It has been immensely beneficial. 


| Let me know if there is 

nay not fix. Thanks tor all the help, we really appreciate your time. 


KSU Center for Election Systems 
3205 Campus Loop Road 
Kennesaw. GA 30144 
P|_|F: 470-578-9012 

On Aug 31, 2016, at 10:34 AM,[ 


nmpleted last night and I will share the results as soon as my current meeting completes. 



Information Security Office 


1/10 










3/3/2017 


Zimbra 


University Information Technology Services (UITS) 
Kennesaw State University 
Technology Services Bldg. Rm 031 
1075 Canton PI 



Sounds good to us. Thanks 



What is the status of the £ 


available options made it difficult to choose while not really understanding them. 


I couldn't find where it had been run and when I went to run | | the 


KSU Center for Election Systems 
3205 Campus Loop Road 
K ennesaw. GA 30 141 
P: | H P: 470-578-9012 


b6 

b7C 
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On Wed. Aug 31, 2016 at 9:56 AM -0400,1 

J> wrote: 

h.I 1 

will focus more SDecificallv on the 

, In addition to Ihd 1 we'd also like! b 

1 T 1 - T 

will reach out to you 

[ _._ 



Regards, 


Information Security Office 
University Information Technology Services (UITS) 
Kennesaw State University 
Technology Services Bldg, Room 026 
1075 Canton PI, MB #3503 
Kennesaw CA 30144 
Phone]_ 


F a x ; ISZm 578 - 9Q5 J. 


-Orininal Messane ■ 

FromJ 
To] 

Cc:[ 


L 


"Michael Barnes! 


X 


Sent: Tuesday, August 30, 5016 2:03:57 M- 

Subject: RE: [IMPORTANT] concerning the security of eied.:ik®s [ kltOO.e&&y. t e.dU 


Yes, this will be J~ 


b7E 



2/10 






3/3/2017 


Zimbra 


Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 

Technology Services Bldg. Rm 031 

1075 Canton PI 

Kennesaw, GA 30144 

Te d I 

Fax: 878-91 5-4940_ 


From | 

Sent: mesrtav. flunnsl: 3l). 7U1 h i/i7T 

T°C 

Cel 


5 


I Michael Barnes 


I 


Subject: Re: [IMPORTANT] concerning the security of eSections.kannesaw.ed u 


b6 

b7i 

b7] 


Just to clarify, are the required credentials f 


KSU Center for Election Systems 
3205 Campus Loop Road 
K ennesaw. GA 30 144 
P: | 1 F: 470-578-9012 






3/3/2017 


Zimbra 






Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 

Technology Services Bldg, Rm 031 

1075 Canton PI 



KSU Center for Election Systems 
3205 Campus Loop Road 
Kennesaw. GA 30144 
P: F: 470-578-9012 






3/3/2017 


Zimbra 




Regards, 



University Information Technology Services (UITS) 
Kennesaw State University 
Technology Services Bldg, Room 026 
1075 Canton PI, MB #3503 
Kenne 
Phone 

Fax: (4701 578-9051 




Good afternoorj 11 wanted to reach out for some assistance with our 
website as suggested in Stephen's email below. 

For some background information ! [ and I have taken responsibility for 
the web site here at Center for Election Systems ! I 

I before either of us were employed here and we have spent the last 
several years simply maintaining it in the order it had been working 
previously Obviously this has become untenable in the current atmosphere, 
anq and I must learn more to get the security of the website under 
control. In this regard we appreciate any help you can offer on security 


b6 

b7C 

b7E 


5/10 





3/3/2017 


Zimbra 


best practices and specific security implementations that will allow us to 
secure the site. 


This morning we implemented 


Please le j l and I know if you have any insights that will help 
accomplish this goal, as well as get a local firewall set up to allow us to 
monitor access through logs. 


Thank you. 


KSU Center for Election Systems 
3205 Campus Loop Road 
Kynnesaw CA TQ144 
p|_|F: 470-578-9012 


b6 

b7C 
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On Aua 29.2016. at 11 :31 AM, Stephen C. Gay < 
wrote: 


Michael, 

Thanks for reaching out and we stand on ready to help. The source email 
domain, <frtip;//basyfcaaH>; bas08le.net < <iittg.:.//.b.asSllgxaea>; 

has a valid domain registration through GoDaddy and 

located in Atlanta: 


Registry RegistrantlQ:_ 

Registrant Name:_ 

Registrant Organization: Bastille Networks 
Registrant Street: 1000 Marietta St NW 
Registrant Street: Suite 112 
Registrant City: Atlanta 
Registrant State/Province: GA 
Registrant Postal Gode: 30318 
Registrant Country: US 
Registrant Phone: +1.7328200096 
Registrant Phone Ext: 

Registrant Fax: 

Registrant Fax Ext: 

Registrant Email: 

domains eifaastilienetwo tte.mm < <rnailto:domains(S>bastiitert etworks.cQm > 
maiits:domainsia>bastiSjenetwo;'ks.com > 


b6 

b7C 


We don't put internal domain blocks in place unless we detect a spike in 
phishing or vulnerability scanning from that domain which, at this point, 
isn't the case for <MtR:/ibaMteaieli>; b astiiie.net < 

<http://lj astilie.net/> ; Ills ubdl lilceht rhar t-hp_ 

tester utilized Gooole searches on the!___ 


t 


domain which included file extensions, along 
with HTML Headers which include the service versions. 


Here the the Google search string which reveals the document he references 
".pdf site:elections.kennesaw.edu“ 

Reporting precincts with cards - 
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that gives away the use of 


b7E 


It is reasonable to assume that these types of unsolicited requests are 
going to increase leading up to the general election in November and we 
stand on ready to offer application security analysis and recommendations. 

In turn, I would highly recommend the use of an server based firewall/IDS to 
track this activity (specifically brute force attempts on the login page) 
and ensure that all access are logged. 


I am cc'ing 2 members of my team, Mr. 


bnd Mr 


to 


advise on operating sMstem/application vulnerabilities and provide advice on 


mitigating strategies! 
assist in any way please let me know. 


will act as your point of contact and if I can 


In service, 

Stephen C Gay CISSP CISA 

KSU Chief Information Security Officer & LUTS Executive Director 

Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 
Technology Services Bldg, Room 031 
1075 Canton PI, MB #3503 
Kennesaw, GA 30144 
Phone: (470) 578-6620 

Fax: (470) 578-9050 _ 


-Original Message — r- 

From: "Michael Barnes" <| 


To: "Stephen C Gav" \ 


□ 

u 

! 1 — 

Cc: "Merle Kina” <\ 1 





Sent: Monday, August 29, 2016 9:24:30 AM 
Subject: FW: IMPORTANT! concerning the security of 


Stephen, 


b6 

b7C 


We received an unsolicited email over the weekend from 


The 


content of the email has engaged our staff and we are looking into these 
claims regarding the security of our website. Would you please add this 
individual and the organization he claims to be affiliated with tn the list 

of tp aririrpowc mnct- recently black listed? Also, our IT staff,_ 

and_|wili be reaching out to you and your staff to see what 

assistance your group can provide us in pinging our site to verify that we 
are addressing security issues within our site. 


b7E 
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Thank you in advance. 


Michael Barnes 
Director 

Center for Election Systems 
Kennesaw State University 
3205 Campus Loop Road 
Kennesaw, GA 30144 
ph: 470-KSU-6900 
fax: 470-KSU-9012 


From: Merle S. King 
Sent: Sunday, Aug ust j:bb~PFT 

To: Steven Dean <1 " 


<<\ 

1 

Cc: Michael Barnes 


Subject; Fwd: UMPORTANT) concernino the securitv of 





b6 
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Steven and Jason - Please review this email and advise. Sooner is better 
than later. 


Thanks, 


MSK 


From: k 



1 - 

_Try "Mprip k~inn H 4 _ 




Cc: 

r 





Sent: Sunday, August 28, 2016 3:47:50 PM 
Subject: [IMPORTANT] concerning the security of 


b6 

b7C 
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Hello Merle, 


My name is 


and I'm a cybersecurity researcher who is a member of 


Bastille Threat Research Team. We work to secure devices against new and 
existing wireless threats: <http s://www.b astille.net/>; 



went 

to Fulton County Government Center to speak wit H I about securing 

voting machines against wireless threats. I was then directed to contact you 
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and the center. I’d like to collaborate with you on securing our state's 
election systems infrastructure against wireless attacks. 

While attempting to get more background information on the center prior to 
contacting you, I discovered serious vulnerabilities affecting 


The following google searches reveal documents lhat shouldn't be indexed and 

appear to be critical to the elections process. In addition ] 1 

install 

needs to be immediately! ~| 


I generally use this type of search to find documents on websites that 
lack 

search functionality. This search revealed a 

Assume any document that requires authorization has already been downloaded 
without authorization. 


"$ite:eleqion ? .kgnnesaw.edu <|_ 

L&A" 

The second search result appears to be fot[ 


b7E 


If you have any questions or concerns please contact me. I'm able to come to 
the 

center this Monday for a more thorough discussion. 


Take care. 
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Merle S. King 


Executive Director 
Center for Election Systems 
Kennesaw State University 
3205 Campus Loop Road 
Kennesaw, Georgia 30144 


Voice: 470-578-6900 
Fax: 470-578-9012 
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According to 


Untitled 

this should access the 
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•U.s. GPO 


FD-597 (Rev 8-11-94) 

UNITED STATES DE 
FEDERAL BUREA1 
Receipt for Property Rece 

File # 


On (date) 



(Name) 

C.' <^-v/ 


" 1 

(Street Address) f- ^ 

1 D^O / cU<J 

L 


(City)_ C<S < A.lA-€’ , &-h 


Description of Item(s):_ 

_ I _ ^ ..... fe j 


(- 305 - 792/81146 


Page j oi 

PART MENT OF JUSTICE 
U OF INVESTIGATION 
ived/Returned/Released/Seized 


item(s^Jisted below were: 
[ 2 p-Keceived From 
[21 Returned To 
2] Released To 
□ Seized 







UNCLASSIFIED 

Physical 1A/1C Cover Sheet for Serial Export 


Created From: 


Package: 1A8 

Stored Location: None 


Summary: 

Acquired By: 
Acquired On: 
Acquired From: 


Attachment: 


(U) One Blue Verbatim 
Fl ash Drive 

sa I 

2017-03-03 

(U) CISO Stephen Gay 

Kennesaw State 
University 

(U) One Blue Verbatim 
Flash Drive 
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FD-1036 (Rev. 10-16-2009) 

UNCLASSIFIED 
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BUREAU OF INVESTIGATION 

Import Form 


Form Type: OTHER Date: 03/15/2017 

Title: (U) Election-related files and usernames 


Approved By: SSA 


Drafted By : SA 


Case ID #: 


(U) UNSUB(S); 

KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


Synopsis: (U) On March 06, 2017, Stephen Gav. CISO. K ennesaw State 

University, provided Special Agent with documents 

associated with Election-related files and usernames for the Center 
for Elections website. 
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♦ ♦ 


UNCLASSIFIED 
















FD-302 (Rev. 5-8-10) 


- 1 of 2 - 

FEDERAL BUREAU OF INVESTIGATION 
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Date of entry 


03/17/2017 


date of birth (DOB) 


was interviewed at 30 


Trammell Street SW, Marietta, Georgia. After being advised of the 
identity of the interviewing Agents and the nature of the interview, 
provided the following information: 


During the interview, 


present. The interview was conducted at 
located at 30 Trammell Street SW, Marietta, Georgia. 


attorney. 



_ 

1 Marietta Office 


O n Wednesday, 
from 


March 1, 2017, 


stated he received a text message 


who is a security researcher and very active in the 
unity about a possible cyber security issue at Kenne 


State University (KSU). 

subseguentlv spoke on the phone b6 

on the same dav. 

informed 

that he recently had dinner with b7c 

b7E 

at a company named Bastille. 

who is aj 

During this dinner, told about multiple vulnerabilities that 


he discovered with the KSU's Center for Elections Sy stem 

(plyctibns.kynnpsaw.edu) . One <?£ the vulnerabilitiegl ~ 


(CES) website 




also informed 


that 


vulnerabilities in the CES website ) 

oack i 


| had pre viousl v discovered 
_reported the 


vul nerabil ities to KSU who supposedly fixed it. 
met 


stated he has never 


After speaking with 


navigated to the website 


stated he got out his laptop and 


I 


□ 


After verifying the vulnerability, |_ 


Jimmediately 


contacted Stephen Gay who is the Chief Information Security Officer at 
KSU. recalled the notification was around 9:30 pm approximately. 


Investigation on 03/10 at Marietta, Georgia, United States (In Person) 


File# 


Date drafted 03/14/2017 

by 
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This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 










FD-302a (Rev. 05-08-10) 


Continuation of FD-302 of 


(U) Interview of 


03/10 

/2017 


2 of 2 


On Thursday, March 2, 2017, Gay contacted Gay wanted | ] to 

docume nt the steps he took to verify the vulnerability. In addition, Gay 
wanted to contact the securi ty researchers and determine how they 

verified the vulnerability. | | stated he collected the requested 

information and provided it to Gay via email on the same day. 

stated the security researchers wanted to responsibly disclose the 
vulnerabilities so KSU could have time to mitigate the issues. Once 
mitigated, the security researchers wanted to discuss issuing a public 
notification so they could get credit for finding the 

vulnerabilities. The security researchers never demanded any money for 
finding the vulnerabilities. 


On Friday, March 3, 2017, |_| communicated with via text 

message after seeing news r eports about a securit y incident at KSU's CES 
and the FBI being involved. stated was surprised to see the 

security incident in the news but thought tne FBi being involved was a 
good thing. 

_ stated he knew Merle King who is the Executive Director at KSU's 

CES. However, he has not spoken to King in approximately two years. King 
reached out to | | about potentially conducting a penetration test 

against the CES website the last time the two spoke but the test never 
happened. 


via text 


|_[provided]_| phone number|_| and a copy of his 

email exchanges with KSU. A copy of the emails will be maintained in the 
1A section of the case file. 
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Conversation with 


Notebook: 

Created: 


_notebook 

3/1/2017 8:46 PM 


Author- 


UDdated: 3/1/2017 9:06 PM 

Location: Cherokee Countv. Georaia. United... 





■ Bastille Networks - contact through 
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Re: Vulnerability on the elections.kennesaw.edu website 


From 


Thu, Mar 02, 2017 08:00 PM 


Subject : Re: Vulnerability on the elections.kennesaw.edu website 


To 


C. Gay 


, Stephen 


Heard back from the researchers, here's what they shared with me: 


I b6 

b7C 

b7E 

Thanks 



Michael J. Coles College of Business 

JCennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

560 Parliament Garden Way NW, MD 0405 


Kennesaw. GA 301 44- 559 






Ph: 




Burruss Building, Room 



- - 7-3656d7065722070617261747573 


From; 



To:|_ 


"Stephen C. Gay" 



Sent: Thursday, March 2, 2017 2:56:45 PM 

Subject: Re: Vulnerability on the elections.kennesaw.edu website 






J/O/.'UI I 
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_|and Stephen, 

I'm in the process of reaching out to the researcher(s) now, and will get back to you with any 
details they provide to me. 


Please let me know if you need anything else. 
Thanks 


Michael 3 . Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

~ “"‘560'Parliament Garden Way IMW, MD 0405 
Kennesaw, GA 30144-5591 


Rh: I I —— 

Burruss Building, Room I I 

73656d7065722070617261747573 



- -Sent: Thursday, March 2, 2017 6:44:22 AM 

Subject: Re: Vulnerability on the elections.kennesaw.edu website 


Good morning. We are actively investigating this incident, specifically fonisinn on 


b6 
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b7E 


2/4 







u;u/^.u i / 


Zimbra 


_|is coordinating the incident so if you could please send the information to him (cc'd 

on this email) I would appreciate it. 

Thank your 


Stephen C Gay CISSP CISA 

KSU Chief Information Security Officer & UITS Executive Director 
_ Information Security Office 
University Information Technology Services (UITS) 

Kennesaw State University 
Technology Services Bldg, Room 031 
1075 Canton PI, MB #3503 
Kennesaw, GA 30144 
Phone: (4701 578-6620 
Fax: (4701 578-9050 

b6 

- b7C 

"- '. b7E 

-Qrininal Mpssane-- 

From :|__ 

To: "Stephen C Gay"_ 

Sent: Wednesday, March 1, 2017 9:55:27 PM 

Subject: Vulnerability on the elections.kennesaw.edu website 


Stephen, 


Thanks for taking the time to talk with me tonight. As I mentioned during our call, I was 
contacted by a friend in the s ecurity s pace here in Atlanta earlier tonight. My friend relayed 


to me the existence of a 
elections.kennesaw.edu website. The vulnerability allows for 


vulnerability that a friend n f h is Inr a ted nn t h e 


My friend shared with me that the[ 






I was able to verify the presence of the vulnerability mvself. and was ahle tnl 


1 K 

— .. 





I'm told the researcher works for a reputable organization. I'm also told that the organization 
may be interested in going public with this at some point, due to the seriousness of the 
matter as well as the related publicity it would generate for the organization. My sense is that 
there is a desire to go public in a coordinated, responsible manner, in order to give the 
university appropriate time to remediate the vulnerability. This is certainly not set in bedrock, 
as I'm just the middleman here. However, given that the y reached out to me as opposed to 
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releasing to the public, I'm hopeful that my sense is correct. 

If I can be of further service, including facilitating communication between all parties, please 
don’t hesitate to let me know. 

Thanks 

b6 

b7C 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education - 

560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591_ 


Ph i I ' ' 

Burruss Building, Room | ~~| 

73656d7065722070617261747573 


b7E 
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Re: Vulnerability on the elections.kennesaw.edu website 


From : 


Thu, Mar 02, 2017 02:56 PM 


Subject : Re: Vulnerability on the elections.kennesaw.edu website 


To 


C. Gay 


, Stephen 


bnd Stephen, 


I'm in the process of reaching out to the researcher(s) now, and will get back to you with any 
details they provide to me. 


b6 
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Please let me know if you need anything else. 


Thanks 



Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

560 Parliament Garden Way NW, MD 0405 
KehnesawZGA 30144-5591_ 




Ph: 



Burruss Building, Room 


73656d7065722070617261747573 


Fro m: "Stephen C. Gay" 

To: 

Cc: 
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Sent: Thursday, March 2, 2017 6:44:22 AM 

Subject: Re: Vulnerability on the elections.kennesaw.edu website 


Good morning. We are actively investigating this incident, specifically focusing on the scope 
of data disclosure. With that in mind, we are seeking your assistance in determining when 



_|is coordinating the incident so if you could please send the information to him (cc'd 

on this email) I would appreciate it. 


Thank your 


Stephen C Gay CISSP CISA 

KSU Chief Information Security Officer & UITS Executive Director 

Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 
Technology Services Bldg, Room 031 
1075 Canton PI, MB #3503 
Kennesaw/GA 30144 
Phone: (470) 578-6620 
Fax: (470) 578-9050 


- Original Message- - 

From : | 

To: "Stephen C Gay" <sgay@kennesaw.edu> 

Sent: Wednesday, March 1, 2017 9:55:27 PM 

Subject: Vulnerability on the elections.kennesaw.edu website 


b6 

b7C 

b7E 


Stephen, 


— Thanks for-taking the time to talk with me tonight. As I mentioned during our call, I was 
contacted by a friend in the security spa ce here in Atlanta earlier tonight. My friend relayed 
to me the existence of a vulnerability that a friend of his located on the 

elections.kennesaw.edu website. The vu lnerability allows) - 
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_ £m told the-researcher works for a reputable organization. I’m also told that the organization 
may be interested in going public with this at some point, due to the seriousness of the 
matter as well as the related publicity it would generate for the organization. My sense is that 
there is a desire to go public in a coordinated, responsible manner, in order to give the 
university appropriate time to remediate the vulnerability. This is certainly not set in bedrock, 

" as I'm just the middleman here. However, given that they reached out to me as opposed to 
releasing to the public. I'm hopeful that my sense is correct. 

If I can be of further service, including facilitating communication between all parties, please 
- don't hesitate to let me know. 

Thanks 

b6 
b7C 
b7E 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education . 

560 Parliament Garden Way NW, MD 0405 


73656d7065722070617261747573 
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Zimbra 


Re: Vulnerability on the elections.kennesaw.edu website 


- -From : Stephen C. Gay|_ 

Subject : Re: Vulnerability on the elections.kennesaw.e du website 

To 
Cc : 


Thu, Mar 02, 2017 06:44 AM 



b6 

b7C 

b7E 


is coordinating the incident so if you could please send the 
information to him (cc'd on this email) I would appreciate it. 

Thank you. 


Stephen C Gay CISSP CISA 

~ K5U Chief Information Security Officer & UITS Executive Director 
Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 
_Te.chnology-Services Bldg, Room 031 
1075 Canton PI, MB #3503 
Kennesaw, GA 30144 
Phone: (470) 578-6620 
Fax: (470) 578-9050 


-Original Message -- 

From: _ 

- -To: "Stephen C Gay" | I 

Sent: Wednesday, March 1, 2017 9:55:27 PM 
Subject: Vulnerability on the elections.kennesaw.edu website 


Stephen, 


Thanks for taking the time to talk with me tonight. As I mentioned during our 
call, I was contacted by a friend in the security space her e in Atlanta 
earlier tonight. My friend relayed to me the existence of a 
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vulnerability that a friend of his lo cated on the elections.kennesa w.edu 


website. The vulnerability al- 


is for 

.. 






I'm told the researcher works for a reputable organization. I'm also told 
—th-at-the organization may be interested in going public with this at some 
point, due to the seriousness of the matter as well as the related publicity 
it would generate for the organization. My sense is that there is a desire to 
go public in a coordinated, responsible manner, in order to give the 
___ujTiyersity_appropriate time to remediate the vulnerability. This is certainly 
not set in bedrock, as I'm just the middleman here. However, given that they 
reached out to me as opposed to releasing to the public, I'm hopeful that my 
sense is correct. 

~ T-P I~can be of further service, including facilitating communication between 
all parties, please don’t hesitate to let me know. 

Thanks 

" b6 

b7C 

b7E 


Michael J. Coles College of Business 

-K-ennesaw State University - A Center of Academic Excellence in Information 
Assurance Education 
560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 _ 




Ph: 1 1 



Burruss Building, Room 
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Re: Need to speak with you in-person 


From ;_ 

Subject : Re: Need to sp eak with you in-person 
To : Stephen C, Gay 


Wed, Mar 01, 2017 09:56 PM 


I think our emails passed each other, you should have the details now. 


Thanks 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 


m _r 

Burruss Building, Room 


73656d7065722070617261747573 


b6 
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Fr om: "Stephen C. Gay" I _ 

To:| 

-Sent: Wednesday, March 1, 2017 9:47:49 PM 

Subject: Re: Need to speak with you in-person 


I've got the team on standby and we are awaiting the information on the conduit for the 
alleged breach. Please send to me as soon as possible. 

Stephen C Gay CISSP CISA 

KSUChief Information Security Officer & UITS Executive Director 

Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 

_Technology-Services Bldg, Room 031 _ 
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1075 Canton PI, MB #3503 
Kennesaw, GA 30144 
- Phone: (470) 578-6620 
Fax: (470) 578-9050 


Qrininal Message 


From 

To: "Stephen C Gay" 

Sent: Wednesday, March l, 201/ y:2/:33 PM 
Subject: Re: Need to speak with you in-person 


This needs to happen immediately. It's that serious. 


Can you talk now, by phone? 
Thanks 


Michael X Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591_ 


| - 

— Burruss Building, Room 


73656d7065722070617261747573 


b6 
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From; "Stephen C. Gay 


ii 



To:|_ 

Sent: Wednesday, March 1, 2017 9:26:08 PM 
Subject: Re: Need to speak with you in-person 


I'm closing on a house tomorrow and will be out of the office until Monday, then afterwards 
— to Friday. Gan we meet on Monday, or can I call you on Friday? 

Stephen 

_ Sent from Nine _, 
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From: 


Sent: Mar 3~ 2017 9:23 PM 


To: Stephen C. Gay 

Subject: Need to speak with you in-person 


Stephen, 

I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 

— Please let me know when make time to meet with me. 


Thanks 

b6 

b7C 

b7E 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
- Education - 

560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 _ 


m _I. 

Burruss Building, Room [ 
73656d7065722070617261747573 
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Vulnerability on the elections.kennesaw.edu website 


From _ Wed, Mar 01, 2017 09:55 PM 

Subject : Vulnerability on the elections.kennesaw.edu website 
To : Stephen C. Gay 

Stephen, 

Thanks for taking the time to talk with me tonight. As I mentioned during our call, I was 
contacted by a friend in the security sp ace here in Atlanta earlier tonight. My friend relayed 
to me the existence of a | | vulnerability that a f riend of his located on the 

elections.kennesaw.edu website. The vulnerability allows foj 1 



I'm told the researcher works for a reputable organization. I’m also told that the organization 
may be interested in going public with this at some point, due to the seriousness of the 
matter as well as the related publicity it would generate for the organization. My sense is 
that there is a desire to go public in a coordinated, responsible manner, in order to give the 
university appropriate time to remediate the vulnerability. This is certainly not set in 
bedrock, as I'm just the middleman here. However, given that they reached out to me as 
opposed to releasing to the public. I'm hopeful that my sense is correct. 


If I can be of further service, including facilitating communication between all parties, please 
don't hesitate to let me know. 


Thanks 
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Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

560 Parliament Garden Way NW, MD 0405 
Kennesaw.~GA 30144-5591 _ 


Ph: I _ 

Burruss Building, Room)_| 

73656d7065722070617261747573 
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Re: Need to speak with you in-person 


From : Stephen C. Gay 

Subject : Re: Need to sneak with you in-person 

... ~ To 


Wed, Mar 01, 2017 09:47 PM 


I've got the team on standby and we are awaiting the information on the 
--conduit for the alleged breach. Please send to me as soon as possible. 

Stephen C Gay CISSP CISA 

KSU Chief Information Security Officer & UITS Executive Director 
Information Security Office 

University Information Technology Services (UITS) 

Kennesaw State University 
Technology Services Bldg., Room 031 
1075 Canton PI, MB #3503 
- Kennesaw, GA 30144 
Phone: (470) 578-6620 

Fax:(470) 578-9050 b7c 

b7E 



Original Me^arp-- 


From:1 



1 

To: "Stephen C Gay" 




Sent: Wednesday, March 1, 2017 9:27:33 PM 
'Subject: Re: Need to speak with you in-person 


This needs to happen immediately. It's that serious. 
Can you talk now, by phone? 

Thanks 


Michael 3. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information 

Assurance Education 

560 Parliament Garden Way NW, MD 0405 
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Kpnnesaw. GA 30144-5591 





Ph: 




Burruss Building, Room 


73656d7065722070617261747573 b6 

b7C 

b7E 

Fro m: "Stephen C. Gay" 

To: | | 

Sent: Wednesday, March 1, 2017 9:26:08 PM 
Subject: Re: Need to speak with you in-person 


I'm closing on a house tomorrow and will be out of the office until Monday, 
then afterwards to Friday. Can we meet on Monday, or can I call you on 
Friday? 

Stephen 


Sent from Nine 


From: |_| 

Sent: Mar 1, 2017 9:23 PM 
To: Stephen C. Gay 

-Subject: Need to speak with you in-person 
Stephen, 

I need to speak with you in-person regarding a very sensitive matter. Due to 
the importance of the issue, this conversation needs to happen immediately. bg 

b7C 

Please let me know when make time to meet with me. b 7 E 


- --Thanks 


Mithael 3.“Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information 
Assurance Education 
560 Parliament Garden Way NW, MD 0405 
--Kennesaw, GA 30144-5591 
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b6 

b7C 

b7E 



73656d7065722070617261747573 
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Re: Need to speak with you in-person 


From : Stephen C. Gay 

Subject : Re: Need to speak with you in-person 

- - To : 


Sure, give me a call on my cell 


Stephen 


Wed, Mar 01, 2017 09:28 PM 


Sent from Nine 


From :|_ 

Sent: Mar 1, 2017 9:27 PM 

k>6 

To: Stephen C. Gay b 7 C 

Subject: Re: Need to speak with you in-person b7E 


Thimeedslo happen immediately. It's that serious. 
Can you talk now, by phone? 

Thanks 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

560 Parliament Garden Way NW, MD 0405 
Kennesaw,.GA,.30144-5591_ 


FFt: — 

Burruss Building, Room 


73656d7065722070617261747573 


From: "Stephen C. Gay" 

To: I 


1/2 







O/UJv'AJ I I 


Zimbra 


Sent: Wednesday, March 1, 2017 9:26:08 PM 
Subject: Re: Need to speak with you in-person 


— I-m eiosing^on a house tomorrow and will be out of the office until Monday, then afterwards 
to Friday. Can we meet on Monday, or can I call you on Friday? 

Stephen 

Sent from Nine 


From^_ 

Sent: Mar 1,2017 9:23 PM 
To: Stephen C. Gay 

Subject: Need to speak with you in-person 


Stephen, 

I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 

“ Please let me know when make time to meet with me. 

Thanks 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education ~ 

560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591 


Phil__ ._. 

Burruss Building, Room |_| 

73656d7065722070617261747573 


b6 

b7C 

b7E 
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s5/0/ZU I ( 


zimDra 


Zimbra 


Re: Need to^speak with you in-person 


From 

•- Subject : Re: Need to speak with you in-person 
To : Stephen C. Gav l 

This needs to happen immediately. It's that serious. 
Can you talk now, by phone? 

Thanks 


Wed, Mar 01, 2017 09:27 PM 


b6 

b7C 

b7E 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591_ 


Ph i r 

Burruss Building, Room 


73656d7065722070617261747573 


From: "Stephen C. Gav" 


Sent: Wednesday, March 1, 2017 9:26:08 PM 
Subject: Re: Need to speak with you in-person 


I'm closing on a house tomorrow and will be out of the office until Monday, then afterwards 
to Friday. Can we meet on Monday, or can I call you on Friday? 

Stephen 

_Spnt from Ninfi_, 


1/2 







0/0/ZU I / 


Zimbra 


From: 

Sent: Mar 1, 2017 9:23 PM 
To: Stephen C. Gay 

Subject: Need to speak with you in-person 

Stephen, 

I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 

Please let me know when make time to meet with me. 

Thanks 

I-1 b7E 


Michael J. Coles College of Business 

- Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education 

560 Parliament Garden Way NW, MD 0405 
Kennesaw. GA 30144-5591 _ 


pfir l 

Burruss Building, Room 


- - ?3656d7065722070617261747573 


2/2 




z.imDra 


3/B/2U1/ _ 

Zimbra 


- Re: Need to speak with you in-person 



Wed, Mar 01, 2017 09:26 PM 


I'm closing on a house tomorrow and will be out of the office until Monday, then afterwards 
to Friday. Can we meet on Monday, or can I call you on Friday? 


-Stephen ~ 

/V re¬ 

sent from Nine b6 

b7C 

- From: | | b7E 

Sent: Mar 1, 2017 9:23 PM 
To: Stephen C. Gay 

Subject: Need to speak with you in-person 
Stephen, 


I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 

Please let me know when make time to meet with me. 

Thanks 


Michael J. Coles College of Business 

-Kennesaw State University - A Center of Academic Excellence in Information Assurance 

Education 

560 Parliament Garden Way NW, MD 0405 
Kennesaw, GA 30144-5591_ 







^PFTT 


r 

Dm 



Burruss Building, Ro< 



1/2 












^imora 


Zimbra 


Need to speak with you in-person 


From :j_ 

Subject : Need to speak with you in-person 
To : Stephen C. Gay_ 


Wed, Mar 01, 2017 09:23 PM 


Stephen, 

I need to speak with you in-person regarding a very sensitive matter. Due to the importance 
of the issue, this conversation needs to happen immediately. 


Please let me know when make time to meet with me. 
Thanks 


b6 

b7C 

b7E 


Michael J. Coles College of Business 

Kennesaw State University - A Center of Academic Excellence in Information Assurance 
Education _ 

560 Parliament Garden Way NW, MD 0405 
Kennesaw. GA 30144-5591_ 





Ph: 


--- 


Burruss Building, Room 


73656d7065722070617261747573 



i/i 
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FEDERAL BUREAU OF INVESTIGATION 




Date of entry 


03/27/2017 



date of birth 


was interviewed 


at his residence located at |_| Atlanta, Georgia. After 

being advised of the id entity of the interviewing Agents and the nature of 
the interview,_provided the following information: 


I Web Sight (website.io) 


In addition, 


stated he and 


who is aI 


at the 


company Bastille have been working together on research where they have 
identified several security vulnerabilities in a particular type of 

softw are. In following the responsible disclosure protocol, _ and 

_notified the software company of the vulnerabilities. They are 

working with the company to resolve the vulnerabilities and potentially 
present their research at the Defcon Cyber Security Conference in Las 
Vegas, Nevada this year. 


house 


ssite. 


On Wednesday, February 22, 2017, | | were at_house 

working on the resea rch mentioned above. During one of their 
conversations, ! ~| stated he wished he could have published his research 
on the Kennesaw State University's (KSU) Center of Elections (CES) 

Websi te. I I had found several security vulnerabilities with the web site. 

_discussed his findings with his supervisors at Bastille._ 

supervisors stated there was no way in hell t hey wanted to report on 
anything related to elections. However, ! | still notified KSU CES 

directly of his findings who supposedly resolved the issues. 

_ stated he and | [ decided to see if KSU actually resolved the 

issues. In conducting some bas ic searches, they immediately discovere d ! I 
vulnerabilities for the| \ on 

the KSU CES website that allowed f ' 


stated he and 


^search at 


house. 


was using the 


Idid not know if I 


was usrng 


or not. In addition, 


Investigation on 03/16 


Atlanta, Georgia, United States (In Person) 


Date drafted 03/17/2017 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 











FD-302a (Rev. 05-08-10) 


Continuation of FD-302 of 


(U) Interview of 


.On 


03/16 
/ 2017 


. Page 


2 of 2 


used the followin g three programs to test the website: 


stated he was very concerned about the security vulne rabilitie s 


in the KSU CES webs ite. A fter about a week of thinking about it, 


stated he c ontacted 
findings to 
previously met 
Georgia. 

On March 01, 2017, 


and told him that he was going to report their 


who is a professor at KSU. 


stated he had 


at one of the Atlanta B-Sides conferences in Atlanta, 


notified 


stated he accessed 


the KSU CES website again while discussing the vulnerabilities with 


During this time, 


accessed the website from his residence using 


Fiber and not the VPN service previously used.j 


stated he believes 

the IP address assianed to him durina this tim 

e wasl 

i- 


also provided his IPv6 IP address 



assigned by Google Fiber. 


|_| stated that he only downloaded one database file from the KSU 

CES website as a proof of concept during all of his research but had 
already deleted the file from his computer. 


b3 

b6 

b7C 

b7E 
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FEDERAL BUREAU OF INVESTIGATION 




Date of entry 


03/27/2017 


On March 17, 2017, Special Agent (SA)|_returned the 

Center of Elections (CES) server collected on March 03, 2017 to Stephen 
Gay who is the Chief Infor mation Security Officer at Kennesaw State 
University. In a ddition, SA provided Gay with a CD containing a 

spreadsheet with 
logs . 


Copies of the FD-597 Receipt of Property and the spreadsheet provided 
to Gay will be maintained in the 1A section of the case file. 


Investigation on 03/17 


Kennesaw, Georgia, United States (In Person) 


Date drafted 03/27/2017 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 
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FD-1036 (Rev. 10-16-2009) 


UNCLASSIFIED 




€$FF8&8&&. 


FEDERAL BUREAU OF INVESTIGATION 

Import Form 


Form Type: OTHER 


Date: 03/30/2017 


Title: 


(U) 


Preservation Letter 


Approved By: SSA 


Drafted By : SA[ 


Case ID #: 


(U) UNSUB(S); 

KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


b3 

b6 

b7C 

b7E 


Synopsis: (U) 



Preservation Letter for 





♦ ♦ 


UNCLASSIFIED 










U.S. Department of Justice 



Federal Bureau of Investigation 


2635 Century Parkway NE 
Atlanta, Georgia 30345 
March 29, 2017 


Dear Custodian of Records: 

This letter will serve as a formal request for the 
preservation of records and other evidence pursuant to Title 18, use. 

Section 2703(f) pending further legal process. 

You are hereby requested to preserve, for a period of 90 
days, the records described below currently in media, in a form that 
includes the complete record. You also are requested not to disclose 
the existence other than is necessary to comply with this request. 

You are further requested not to terminate the account listed in this 
request if such termination is solely due to the receipt of this 
request. Further, allowing this account to remain active may assist 
Law Enforcement efforts. 

This request applies only retrospectively. It does not in 
any way obligate you to capture and preserve new information that 
arises after the date of this request. 

This preservation request applies to the following records 
and evidence: 

~~ ' b6 

b7C 

b7E 


1 









FD-448 


FEDERAL BUREAU OF INVESTIGATION 


Revised 

10-27-2004 


FACSIMILE COVER SHEET 


PRECEDENCE 


O Immediate 

O Priority 



Routine 

class;fication 

O T°P Secret O Secret 


O Sensitive 


O Unclassified 

TO 

■ 

I 

! 

i 








1 

03/29/2017 

Attn: 




■ 

Telephone Number: 

Custodian of Records 






FROM 


Name of Office: 

FBI Atlanta 

Number of Pages: (including cover) 

3 

Orifl 

3 




umber: 

Originator's Facsimile Number: 

404-679-1417 





Approved 1 . 


_ DETAILS 

Subject: 

Preservation Letter 


Special Handling Instructions: 


Brief Description of Communication Faxed: 


WARNING 

Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information disclosure, 
reproduction, distribution, or use of this information is prohibited (18.USC, § 641). Please notify the originator or local FBI Office 
immediately to arrange for proper disposition. 


b6 

b7C 

b7E 


FD-448 (Revised 10-27-2004) 


Page 1 of 1 


FEDERAL BUREAU OF INVESTIGATION 




















FD-1036 (Rev. 10-16-2009) 

FEDERAL 

UNCLASSIFIED 

BUREAU OF INVESTIGATION 

Import Form 


Form Type 

: OTHER 

Date: 

03/30/2017 

Title: (U) 


Preservation Letter 

b6 

b7C 


Approved By: SSA 


b7E 


Drafted By : SA 


Case ID #: 


(U) UNSUB(S); 

KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 


Synopsis: (U) 


Preservation Letter for 

The preservation letter was assigned! 




♦ ♦ 


UNCLASSIFIED 









U.S. Department of Justice 



Federal Bureau of Investigation 


2635 Century Parkway NE 
Atlanta, Georgia 30345 
March 29, 2017 


b6 

b7C 

b7E 


Dear Custodian of Records: 

This letter will serve as a formal request for the 
preservation of records and other evidence pursuant to Title 18, use. 
Section 2703(f) pending further legal process. 

You are hereby requested to preserve, for a period of 90 
days, the records described below currently in media, in a form that 
includes the complete record. You also are requested not to disclose 
the existence other than is necessary to comply with this request. 
You are further requested not to terminate the account listed in this 
request if such termination is solely due to the receipt of this 
request. Further, allowing this account to remain active may assist 
Law Enforcement efforts. 

This request applies only retrospectively. It does not in 
any way obligate you to capture and preserve new information that 
arises after the date of this request. 

This preservation request applies to the following records 
and evidence: 


1 













288A-AT-2141248 Serial 12 






j 

FD-1036 (Rev. 10-16-2009) 


'Rspl 


j 


UNCLASSIFIED 


f ncWoo MS 



FEDERAL BUREAU OF INVESTIGATION 


Import Form 


Form Type: OTHER Date: 03/30/2017 



Case ID #: 288A-AT-2141248 (U) UNSUB(S); 

KENNESAW STATE UNIVERSITY - VICTIM; 
COMPUTER INTRUSION - CRIMINAL MATTER; 



♦ ♦ 


UNCLASSIFIED 










U. S . Department, of Justice 



Federal Bureau of Investigation 


2635 Century Parkway NE 
Atlanta, Georgia 30345 
March 29, 2017 


b6 

b7C 

b7E 


Dear Custodian of Records: 

This letter will serve as a formal request for the 
preservation of records and other evidence pursuant to Title 18, use. 
Section 2703(f) pending further legal process. 

You are hereby requested to preserve, for a period of 90 
days, the records described below currently in media, in a form that 
includes the complete record. You also are requested not to disclose 
the existence other than is necessary to comply with this request. 
You are further requested not to terminate the account listed in this 
request if such termination is solely due to the receipt of this 
request. Further, allowing this account to remain active may assist 
Law Enforcement efforts. 

This request applies only retrospectively. It does not in 
any way obligate you to capture and preserve new information that 
arises after the date of this request. 

This preservation request applies to the following records 
and evidence: 


1 













FD-1036 (Rev. 10-16-2009) 


UNCLASSIFIED 
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FEDERAL BUREAU OF INVESTIGATION 

Import Form 


Form Type: UNET-EMAIL Date: 04/04/2017 

Title: (U) Email from Stephen Gay, KSU 


Approved By: SSA 


J b3 

b6 
b7C 

(U) UNSUB (S); b7E 

KENNESAW STATE UNIVERSITY - VICTIM; 

COMPUTER INTRUSION - CRIMINAL MATTER; 

Synopsis: (U) Email from Step hen Gay, CISO, KSU, dated March 21, _ 

2017. The email was related tol * 1 


Enclosure(s) : Enclosed are the following items: 
1. (U ) Excel Spreadsheet containing 


Drafted By : SA 


Case ID #: 


♦ ♦ 


UNCLASSIFIED 









Stephen C Gay CISSP CIS A 

KSU Chief Information Security Officer & UITS Executive Director Information Security Office University 

Information Technology Services (UITS) Kennesaw State University Technology Services Bldg, Room 031 

1075 Canton PI, MB #3503 

Kennesaw, GA 30144 

Phone: (470) 578-6620 

Fax: (470) 578-9050 


b6 

b7C 

b7E 
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FEDERAL BUREAU OF INVESTIGATION 




Date of entry 04/12/2017 


On March 30, 2017, representatives from the Atlanta Division of the 
Federal Bureau of Investigation (FBI) as well as the United States 
Attorney's Office, Northern District of Georgia (USAO-NDGA), met with 
executives of Kennesaw State University (KSU) in the KSU Presidential 
Boardroom. The individuals in attendance included: 


Federal Bureau of Investigation 


Supervisory Special Agent 

_ _ Special Agent 

_ Special Agent 


b3 

b6 

b7C 

b7E 


United States Attorney's Office 

Deputy Chief, Criminal Division 
Assistant United States Attorney 


Kennesaw State University 


Samuel S. Olens, President 

Lectra Lawhorne, Chief Information Officer/VPIT 

Stephen C. Gay, Chief Information Security Officer 

Merle S. King, Executive Director, Center for Election Systems 


The purpose of the meeting was for the FBI and USAO to share 
information with KSU executives related to the alleged breach of a server 
associated with elections.kennesaw.edu. 


In summary, SSA 


KSU, 


of investigative findings related to 

the case. SSA 


advised during the 

course of the investigation, tl 

1 - —- a - 1 - 1 

le FBI 

1 


provided by 


and conducted rntervrews. During the 


investigation, the FBI identified a security researcher who found at least 


Investigation on 0 3/30 



at Kennesaw, Georgia, United States (In Person) 

File# 


r. 


Date drafted 04/10/2017 

by 


SA 




This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 
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b6 

b7C 

b7E 
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(U) FBI/USAO-NDGA Meeting with KSU 
Continuation of FD-302 of Executives 


.On 


03/30 

/2017 


. Page 


2 of 2 


one vulnerability associated with elections.kennesaw.edu. The FBI provided 
the investigative findings to the NDGA USAO's office who determined no 
federal statute had been violated by the security researcher. 


ssa 


and 





AUSA 


advised KSU executives due to the limited 


provided by KSU, the investigation did not encompass the 


full scope of time the server may have been compromised. 


b3 

b6 

b7C 

b7E 


President Olens advised KSU was working with a third-party firm as well 
as Georgia Tech to review the security of their servers. He also praised 
the FBI and USAO's prompt investigation. 
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FEDERAL BUREAU OF INVESTIGATION 


Vo. 


b3 

b6 

b7C 

b7E 


Date of entry 10/23/2017 


Special Aqent (SA) 



into an alleged 


and SA 


conducted a 


Stated University (KSU) Center for Election Systems (CES) website 
(elections . kennesaw.edu) . Thel” 


No investigative activity has been conducted on the 


case since August 18, 2017. 


Sa | [ requests the evidence item IB-1 (one (1) Seagate 2 
S/N 5XW2AP34, containing im age of Dell PowerE dge R610 Server, 
be transferred to case file , Once completed, 
file will be closed. 


TB SATA HDD, 
S/N 96J2FQ1) 
the case 


b7A 


Atlanta, Georgia, United States 
Investigation on 10/20/2017 a j Evidence)) 

File# 


Other (Transfer of 


Date drafted 10/20/2017 


b3 

b6 

b7C 

b7E 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not 
to be distributed outside your agency. 








